02-01-2011 04:53 PM - edited 03-11-2019 12:43 PM
I just wanted to let everyone know of a solution to an SMTP routing issue I was having today....
With Cisco ASA and esmtp inspection enabled with an Exchange 2003 server behind the ASA, I was having problems sending & receiving emails.
I am running 8.3.2 on an ASA 5510, however this should apply to the 7.x ios and other ASA models as well. It should also apply to all versions of Microsoft Exchange, 2003, 2007 & 2010.
Incoming emails were either being delayed or not being received.
Outgoing emails were either being delayed or not being sent.
The Exchange SMTP logs were showing:
For Incoming emails:
dsn=4.0.0, stat=Deferred: 451 Timeout waiting for client input
For outgoing emails:
421+4.4.2+mtain-dl02.r1000. <domain name here> +Error:+timeout+exceeded
In addition, a number of incoming emails were being received with the body stripped out, and replaced simply with:
<<< No Message Collected >>>
Very troubling....
Solution:
Solution is to do a 'no inspect esmtp' on the global_policy_map.
The esmtp inspection is the replacement for the notorious fixup on PIX devices.
Hoping this helps someone else...
Here's the code:
CiscoASA(config)# policy-map global_policy
CiscoASA(config-pmap)# class inspection_default
CiscoASA(config-pmap-c)# no inspect esmtp
CiscoASA(config-pmap-c)# exit
CiscoASA(config-pmap)# exit
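Before pulling inspection out of global_policy it is worth confirming that ESMTP inspection is actually in the path of the failing sessions. The following is an added example, not code from the original post or from Cisco: a small Python probe that talks to the MX from the far side of the ASA (a host out on the Internet side, since LAN-to-Exchange traffic never crosses the firewall) and reports the traces the inspection engine leaves on the session. It assumes, from the ASA ESMTP inspection documentation rather than from this thread, that the default esmtp map's `match ehlo-reply-parameter others` / `mask` action overwrites EHLO keywords it does not recognise with X characters, that `mask-banner` (when set) replaces the 220 greeting text with asterisks, and that STARTTLS is hidden unless the map sets `allow-tls`. The hostnames, addresses and transcripts in the block are constructed, not captured.

```python
"""Added example (not code from the original post or from Cisco): probe an
SMTP listener from the far side of the ASA and report the traces that ESMTP
inspection leaves on the session, so you can confirm inspection is in the
path before removing it from global_policy.

Assumptions, taken from the ASA ESMTP inspection documentation rather than
from this thread:
  * the default esmtp map's 'match ehlo-reply-parameter others -> mask'
    overwrites EHLO keywords it does not recognise with 'X' characters;
  * 'mask-banner', when set, replaces the 220 greeting text with asterisks;
  * STARTTLS is hidden unless the map sets 'allow-tls'.
Hostnames and transcripts below are constructed, not captured.
"""
import re
import socket

# EHLO keywords that matter for Exchange server-to-server delivery; any of
# these that is not visible in the reply is reported, masked or not.
EXCHANGE_EXPECTED = {"STARTTLS", "CHUNKING", "XEXCH50", "ENHANCEDSTATUSCODES"}


def parse_reply(raw):
    """Split an SMTP reply ('250-PIPELINING\\r\\n...250 OK\\r\\n') into
    (code, [text of each line]); char 4 of every line is '-' or ' '."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l.strip()]
    if not lines or not re.match(r"^\d{3}[ -]", lines[0]):
        raise ValueError("not an SMTP reply: %r" % raw[:40])
    return lines[0][:3], [l[4:].strip() for l in lines]


def analyse_session(banner, ehlo_reply):
    """Return the inspection signatures found in a banner + EHLO exchange."""
    findings = {"masked_banner": False, "masked_keywords": [],
                "advertised": [], "missing": []}
    _code, texts = parse_reply(banner)
    greeting = texts[0]
    # A greeting made only of '*' is the mask-banner signature.
    if greeting and set(greeting.replace(" ", "")) == {"*"}:
        findings["masked_banner"] = True
    code, lines = parse_reply(ehlo_reply)
    if code != "250":
        raise ValueError("EHLO rejected with %s" % code)
    for text in lines[1:]:          # line 0 is the server's own hostname
        keyword = text.split()[0].upper() if text.split() else ""
        if keyword and set(keyword) == {"X"}:
            # 'XXXXXXXX' in place of a keyword: the ASA 'mask' action
            findings["masked_keywords"].append(text)
        elif keyword:
            findings["advertised"].append(keyword)
    findings["missing"] = sorted(EXCHANGE_EXPECTED - set(findings["advertised"]))
    return findings


def inspection_suspected(findings):
    """True when the session carries a mask signature; a merely missing
    STARTTLS could just be a server without TLS, so it does not count."""
    return findings["masked_banner"] or bool(findings["masked_keywords"])


def probe(host, port=25, helo_name="probe.example.test", timeout=10):
    """Live check: read the banner, send EHLO, QUIT, and analyse the result."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")

        def read_reply():
            buf = []
            while True:
                line = reader.readline().decode("ascii", "replace")
                buf.append(line)
                if not line or line[3:4] != "-":   # EOF or final line
                    return "".join(buf)

        banner = read_reply()
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        ehlo = read_reply()
        sock.sendall(b"QUIT\r\n")
    return analyse_session(banner, ehlo)


# Constructed transcripts: what an Exchange listener looks like without
# inspection, and the same listener seen through a masking esmtp map.
CLEAN_BANNER = "220 mail.example.test Microsoft ESMTP MAIL Service ready\r\n"
CLEAN_EHLO = ("250-mail.example.test Hello [192.0.2.10]\r\n"
              "250-SIZE 10485760\r\n250-PIPELINING\r\n250-DSN\r\n"
              "250-ENHANCEDSTATUSCODES\r\n250-STARTTLS\r\n"
              "250-AUTH GSSAPI NTLM\r\n250-8BITMIME\r\n250-BINARYMIME\r\n"
              "250-CHUNKING\r\n250-XEXCH50\r\n250 OK\r\n")
MASKED_BANNER = "220 **********************************************\r\n"
MASKED_EHLO = ("250-mail.example.test Hello [192.0.2.10]\r\n"
               "250-SIZE 10485760\r\n250-PIPELINING\r\n250-DSN\r\n"
               "250-XXXXXXXXXXXXXXXXXXX\r\n250-XXXXXXXX\r\n"
               "250-AUTH GSSAPI NTLM\r\n250-8BITMIME\r\n250-BINARYMIME\r\n"
               "250-XXXXXXXX\r\n250-XXXXXXX\r\n250 OK\r\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # python probe.py mx.example.test
        print(probe(sys.argv[1]))
    for label, b, e in (("clean", CLEAN_BANNER, CLEAN_EHLO),
                        ("masked", MASKED_BANNER, MASKED_EHLO)):
        print(label, inspection_suspected(analyse_session(b, e)))
```

If the probe shows X-ed keywords or an asterisk banner, inspection is rewriting the dialogue and the Exchange extensions listed under `missing` are the ones remote MTAs cannot see; that narrows the problem to the esmtp map rather than to DNS, MX or Exchange itself. If it shows nothing, disabling `inspect esmtp` is unlikely to change the symptom and the delays are better chased elsewhere.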
02-07-2011 01:25 PM
ESMTP inspection protects against SMTP-based attacks by restricting the types of SMTP commands that can pass through the ASA. What you did removes this functionality and lowers the security. When the inspection was enabled, did you look at the output of 'show service-policy' to see if there were any drops for esmtp inspection? If there were, you need to figure out what traffic is non-compliant.
Admin,
Voipesec Network Solutions
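The check the reply suggests works best as a before-and-after comparison: capture `show service-policy` once, reproduce a stuck delivery, capture it again, and see whether the esmtp drop counters moved. The following is an added example, not from the thread and not Cisco's output verbatim: a Python helper that pulls the esmtp counters out of two captures and reports the growth. The two captures in the block are constructed to resemble ASA 8.x output and are not from the poster's firewall; counter names differ a little between releases, so the parser accepts any `name N` pairs on an `Inspect:` line rather than hard-coding them.

```python
"""Added example (not from the thread, not Cisco's output verbatim): diff the
esmtp counters from two 'show service-policy' captures taken before and after
reproducing the mail problem, which is the check the reply suggests.
The two captures below are constructed to resemble ASA 8.x output and are
not from the poster's firewall; counter names vary a little between
releases, so the parser accepts any 'name N' pairs on an 'Inspect:' line.
"""
import re

# e.g. "      Inspect: esmtp _default_esmtp_map, packet 88213, drop 17, reset-drop 2"
INSPECT_RE = re.compile(r"^\s*Inspect:\s+(\S+?)(?:\s+(\S+?))?,\s*(.*)$")
# 'name N' pairs separated by commas; names may contain spaces and hyphens
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 -]*?)\s+(\d+)(?=,|\s*$)")


def parse_service_policy(text):
    """Return {protocol: {counter: value}} for every Inspect: line found."""
    stats = {}
    for line in text.splitlines():
        m = INSPECT_RE.match(line)
        if not m:
            continue
        proto, _map_name, rest = m.groups()
        stats[proto] = {name.strip(): int(val)
                        for name, val in PAIR_RE.findall(rest)}
    return stats


def esmtp_drop_delta(before, after):
    """Growth of every esmtp counter with 'drop' in its name between captures."""
    b = parse_service_policy(before).get("esmtp", {})
    a = parse_service_policy(after).get("esmtp", {})
    return {k: a.get(k, 0) - b.get(k, 0)
            for k in sorted(set(a) | set(b)) if "drop" in k}


def inspection_interfering(before, after):
    """True when esmtp inspection dropped or reset anything during the window."""
    return any(v > 0 for v in esmtp_drop_delta(before, after).values())


# Constructed captures (shape of ASA 8.x output, not a real firewall's).
BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 4520, drop 0, reset-drop 0
      Inspect: ftp, packet 310, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 88213, drop 17, reset-drop 2
"""
AFTER = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 4611, drop 0, reset-drop 0
      Inspect: ftp, packet 310, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 90001, drop 41, reset-drop 6
"""

if __name__ == "__main__":
    print(esmtp_drop_delta(BEFORE, AFTER))   # {'drop': 24, 'reset-drop': 4}
    print("inspection interfering:", inspection_interfering(BEFORE, AFTER))
```

A positive delta confirms the inspection engine, not the mail servers, is ending sessions during the window; the next step is the ASA syslog for that interval, since the drop actions in the default esmtp map are configured with `log` and the message names which match clause fired. That tells you whether a narrower fix (adjusting that one clause in a custom esmtp map) would do instead of removing `inspect esmtp` for every SMTP flow through the box.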